login using Azure Workload ID when available

hack/ensure-azcli.sh

@@ -25,5 +25,10 @@ if [[ -z "$(command -v az)" ]]; then
   AZ_REPO=$(lsb_release -cs)
   echo "deb [arch=amd64] https://packages.microsoft.com/repos/azure-cli/ ${AZ_REPO} main" | tee /etc/apt/sources.list.d/azure-cli.list
   apt-get update && apt-get install -y azure-cli
-  az login --service-principal -u "${AZURE_CLIENT_ID}" -p "${AZURE_CLIENT_SECRET}" --tenant "${AZURE_TENANT_ID}" > /dev/null
+  if [[ -n "${AZURE_WORKLOAD_ID:-}" ]]; then
+    # TODO: federated token should also be fetched from the workload identity file
+    az login --service-principal -u "${AZURE_WORKLOAD_ID}" -t "${AZURE_TENANT_ID}" --federated-token "$(cat /var/run/secrets/azure-token/serviceaccount/token)" > /dev/null
+  else
+    az login --service-principal -u "${AZURE_CLIENT_ID}" -p "${AZURE_CLIENT_SECRET}" --tenant "${AZURE_TENANT_ID}" > /dev/null
+  fi
 fi